Every day I experience life in the world of healthcare IT, supporting 3000 doctors, 18000 faculty, and 3 million patients. In this blog I record my experiences with infrastructure, applications, policies, management, and governance as well as muse on topics such as reducing our carbon footprint, standardizing data in healthcare, and living life to its fullest.

Monday, May 19, 2008

The Launch of Google Health

BIDMC is now live with Google Health. In the interest of full disclosure, I am a member of the Google Health Advisory Council and have not accepted any payments from Google for my advisory role. BIDMC is also working with Microsoft Health Vault and Dossia.

I'm now at Google Headquarters in Mountain View with the Google Health team - Roni, Missy, Maneesh, Jerry etc. and several dozen reporters.

which are all early integrators with Google Health. At BIDMC, we have enhanced our hospital and ambulatory systems such that a patient, with their consent and control, can upload their BIDMC records to Google Health in a few keystrokes. There is no need to manually enter this health data into Google's personal health record, unlike earlier PHRs from Dr. Koop, HealthCentral and Revolution Health. Once these records are uploaded, patients receive drug/drug interaction advice, drug monographs, and disease reference materials. They can subscribe to additional third party applications, share their records if desired, and receive additional health knowledge services.

A few important notes.

Security and privacy are foundational to Google Health. The privacy policy, with oversight from the Google Health Advisory Council, stipulates that data will never be transferred, sold, mined or released without specific consent of the patient. Patients completely control the content and may remove it at any time. This is similar to the Microsoft Health Vault policy.

Security standards include use of certificates, IP address restrictions controlling partner transmissions in and out of Google Health, no caching of health data to the desktop (Google Desktop will not index Google Health pages) and encrypted transmission.

The data standards underlying Google interoperability include a proprietary form of the Continuity of Care Record, called CCR/G. Google has committed to supporting the standards which have been recognized by HHS Secretary Leavitt including the Continuity of Care Document. The vocabulary standards used by Google and its decision support partner, Safe-Med, include SNOMED CT, LOINC, NDC, RxNorm, and ICD9.

Over the next few months, it will be interesting to see how many of the 40,000 monthly users of BIDMC's PatientSite will elect to use Google Health. Our plan is to continue to support PatientSite but also empower patients with interoperability to other personal health records that they may find useful.

Our rollout strategy is that we've enabled the Google Health link for 5000 patients with existing Google Gmail accounts (based on their PatientSite email addresses). We'll then expand the rollout as rapidly as we can based on our experience with supporting patients who use Google Health. Here's the message we sent out to our Clinicians and their Patients:

"Over the past year, BIDMC has worked with Google Health to integrate Patientsite and Google's new patient portal.

Google Health is a place for patients to gather their data from providers, payers, pharmacies and labs in one place, then receive decision support such as drug monographs, and disease information.

It is an Opt-In service and the patient controls every aspect of the Google Health site.

There is no additional work for you or your practice.

More information will be coming soon and we'll follow up next week. Below is the email we'll send to your patients:

Patients who use PatientSite will now be able to upload their records about diagnoses, medications and allergies from PatientSite to Google Health, and then also use Google's specialized medical knowledge features - online reference materials about medical conditions, information about drug safety, questions to ask your doctor, and more.

How will this work? Initially, patients with a Google Gmail email address will have a new link in PatientSite called Google Health that will enable them to optionally use these Google features. We will add this link to additional PatientSite patients over the next few weeks.

These features are completely optional and will always be under the control of the patient. Google will not target advertising to the site, use the data, resell or share this data in any way. At no time will BIDMC share your data with Google without your consent. The decision to participate and share data is completely up to you. If you decide to participate, you can change your mind at any time and not participate. We hope these new features are helpful to you."

33 comments:

Google is supporting a subset of the CCR standard http://code.google.com/apis/health/ . The CCR is an open standard and is not proprietary.

The distinction is important as everything that I've heard Google say tells me they are committed to open health information exchange. Thus, they are supporting both ASTM CCR and HL7 CCD as standards for summary records.

John, you know I love and respect you guys, but what about the concerns voiced by John Grohol over at the e-Patients blog, and me in January on my blog?

Is it correct that this Google service is not subject to HIPAA protections?

And as Grohol asks, if you tell Google to delete all your information, what guarantee can there possibly be that (a) they did so, and (b) it's also been deleted from any partners to whom they gave it? How can Google possibly control that?

I deal with Google almost every day at work, as a buyer of their advertising, and I can say first-hand that they can be real obfuscators. (I have to dissect and recalculate the data in their reports to see what's actually going on, and they change their algorithms at will, with only partial explanations to buyers, and sometimes no explanation at all.)

I just can't see the upside of handing the Googolith your data when there's not a stitch of assurance (other than "trust us, really") that it'll be protected. And for me that went out the door once with the CNet.com hypocrisy episode and a second time with the China cave-in (both in my blog post above).

What do you think about this?? You must believe your patients' data will really be safe with them - why?

HIPAA was created for provider organizations. Google has had to implement privacy policies that are as strong or stronger than HIPAA, since HIPAA does not apply to a third party, non-provider, which acts as a steward of patient data. Here's the detailed comparison of HIPAA to Google's policy.

John, even with the Google document you mentioned many people will have remaining questions about the protection of data privacy in the Google PHR. The issue is important enough to impact negatively the deployment of the PHR in the near future, IMO.

Google will need to be seriously pro-active about these issues if it wants people to embrace the new service and use it. What are the actions that Google intends to take in order to allay our fears?

John, the Google privacy policy may be stronger than HIPAA on paper -- well, on the screen -- but it's effectively toothless, because users have little recourse should their personal data be compromised. Check out the Google Health TOS, which near as I can tell explicitly limits Google's liability in such cases.

I'm increasingly convinced that the lack of HIPAA (or HIPAA-like) privacy protections is going to be a major stumbling block for PHR adoption -- at least for anyone not eligible for Medicare, and thus beyond the reach of insurers' medical underwriters.

If I already extensively use PatientSite and have all of my health records at BIDMC, what would I gain from moving it all to Google Health? I can access PatientSite from afar and even email my providers. Any advantage other than the input from a pharmacy?

It's not quite right to say that Google is entirely unregulated. The Federal Trade Commission will enforce Google's privacy policy, for example.

However, Google is not subject to a variety of other requirements and protections that apply to HIPAA "covered entities." For example, Google need not comply with any standards for user authentication, which could be a real issue given the weak authentication process used by Gmail.

The interesting advantage over Patientsite that Google Health may develop is that it is a development platform which thousands of programmers can extend. I expect hundreds of new applications over the next 6 months that will enable patients to get decision support, graph/chart their data, and connect to home health devices like blood pressure cuffs/exercise machines. The utility of Google Health will be measured by the number of patients who decide to use it based on the value add of these new applications.

Does anybody know of a blog dedicated to tracking Google Health New Applications? We're trying to conceptualize a HawaiiConnected Care System and Google Health PHR plus future applications could be very helpful to our mission of helping baby boomers to age in place. IT innovators welcomed! www.mauiagewave.com

Does Google at some point plan to tie up with insurance companies too, such as the Aetnas and Cignas of the world, to obtain benefit info, claims info, etc.? Also, in such cases would Google provide a product to extract information, normalize it and send it to the Google Health Account, or is it the responsibility of individual service providers to convert the data into GOOGLE CCR implementation format and send it to them?

The technology is attractive. Issues regarding privacy are significant and there are obviously no guarantees. However, HIPAA itself is doublespeak. HIPAA is more about how little privacy one actually has with their PHI, if you read the fine print. So going to Google may not be so much of a privacy threat in the end. However, the hype saddens me. This technology is accessible only to those who are in a position to have access (i.e. people who are reasonably well-off economically), to those who have insurance... and assumes we will really see/feel tangible benefits from a closer link to providers/suppliers of healthcare. So, very cool technology with all the right buzz words and standards acronyms. No reason to believe that health care itself will improve or that access to providers will improve.

I think the challenge for PHRs, Google Health, Microsoft HealthVault is the consumer perception of privacy, not whether it is HIPAA compliant. Should physicians and healthcare organizations promote the adoption of these sites as part of the patient enrollment and care process, then they will be successful. John, is this something you have plans to implement in your organization?

To: John Halamka

I just came across this blog and Google Health. I have reviewed the links you provided. As an individual who has worked in politics and in the legal field and who is earning a degree in medicine and will be working in the medical field I have many concerns with Google Health and other online medical records storage systems. I can certainly see the upside to an individual having all of their medical records available for easy access. However, knowing the invasive, continually changing face of the courts and legislative process, I can also see looming in the distance the "big brother" computerized control of an individual's life including courts and legislative members giving rights to employers, schools, financial institutions and others who claim the "right to know" a person's medical history before they make a decision to hire, accept, or work with an individual. This will be especially true if the USA turns over to a socialized healthcare system such as exists in England, Canada and many other countries. I can tell you that over my lifetime of almost six decades the invasion of personal privacy and individual rights has reached levels not imagined in generations past. While Google is doing great work in many areas, I can see that this new work will be subject to court and legislative rulings that demand Google turn over all records, as Google already caveats in the current links that I reviewed. There is no reassurance that can be provided that will cover all of the needs of an individual because companies that provide services are themselves open to external control, and therefore they cannot provide assurance of control that they themselves do not have. There are many countries who already have universal electronic medical record documentation and the full effects of who will have access to that information are continuing to be played out in nations around the world.
However, it is clear that this is an enormous risk for the rights of the individual in a myriad of venues.

While it's clear various privacy safeguards are in place, the future often holds surprises. Government demands for information, security lapses, and technology failures all create the possibility of serious privacy breaches.

In theory, it's a great idea, in practice I believe the risks outweigh the benefits.

I write a blog for ZDNet on IT failures, so my perception is based on hard observation of many situations where good intentions have failed to prevent disaster.
